Detailed configuration and permission allocation of cvsnt on the Windows platform

Source: Internet
Author: User

CVS is currently the most common version control and software configuration system, and its open-source nature has been indispensable to its popularity. However, its open-source origins also mean that it is not easy to use: a single function can often be implemented only through several seemingly unrelated operations. On Windows, multi-account configuration of CVS is very important, but it is not easy to do. The main difficulties are as follows:

CVS originated on Unix systems, and its Windows port does not include server functionality. On Windows, the cvsnt software is usually used to set up a CVS repository, but cvsnt operates slightly differently from the original CVS.

CVS itself is a command-line tool, and its configuration process is complicated. To configure multiple accounts, you need to manually modify the files in the CVSROOT folder of the repository, and there is no unified interface for doing so.

After the cvsnt server is installed, the default user is the Windows login account that created the repository. When many people develop together, nobody wants everyone to commit under the same name. More importantly, we may need to configure developer permissions: for example, some people may only view code, some may commit, and some may add new modules.

The following are the detailed steps. The environment is cvsnt 2.5.03 (build 2151) + TortoiseCVS 1.8.25:

1. Create a repository using cvsnt. Assume that the Windows administrator account is used to log on. The repository uses the pserver protocol, the IP address is 1.2.3.4, the port number is 2401, the repository name is /testrep, and the password is 123. The administrator is also the repository administrator.

2. To configure multiple users, you must modify several files in the CVSROOT directory of the repository. First, on the client, set the CVSROOT environment variable to :pserver:administrator@1.2.3.4:/testrep (note the distinction between the CVSROOT directory and the CVSROOT environment variable). Log on to CVS as administrator and check out the CVSROOT directory. The commands are as follows (enter the password 123 when cvs login prompts for it):

cvs login
cvs co CVSROOT

3. On the server, add a Windows account dedicated to CVS operations. All CVS accounts must be mapped to this Windows account to actually perform operations. Although many documents do not mention the need to create a Windows account, I found in my experiment that without this account CVS reports errors when performing any later operation. Assume that the new account is cvsuser. The Windows command

net user cvsuser cvsuserpassword /add

adds this account. After adding cvsuser, remember to grant it permissions on the actual server folder behind /testrep; otherwise, no CVS account mapped to cvsuser can commit normally, because it has no write permission. First, in Windows Explorer on the server, open "Folder Options" in the "Tools" menu, find the "Use simple file sharing" item on the "View" tab, clear its check box, and click OK. Then right-click the /testrep folder and click "Properties". The dialog box now shows a "Security" tab, where we add read and write permissions for cvsuser.

4. Add CVS's own accounts. With the cvs passwd command we can add any number of CVS accounts (valid only for the current repository, of course). All account information is stored in the passwd file in the CVSROOT directory. This file cannot be checked out; it can only be seen on the server, and the password information stored in it is encrypted. We can add users such as cvsadmin, user1, user2, and anonymous. For example, the command for adding cvsadmin is (you are then prompted for the cvsadmin password):

cvs passwd -a -r cvsuser cvsadmin

This adds the cvsadmin account and maps it to the Windows account cvsuser (-a adds an account, and -r maps it to an operating system account). I want to use cvsadmin as the administrator of /testrep. This point is important: if it is not set up, then after CVS is switched to "use CVS account verification only" mode there is no chance to add an administrator (because only the administrator can view and operate on the CVSROOT directory).

5. Set cvsadmin as the CVS administrator. Add a new file named admin under the CVSROOT directory on the client. Write into it the name of each CVS account to be promoted to administrator, one account name per line. The promotion of cvsadmin takes effect only once the admin file is on the server. However, simply committing the admin file does not work: before committing it, you must register admin in the checkoutlist file. The format of checkoutlist is described in the file itself: "space, file name, space, error message, newline". Add this record to it:

 admin adminerror

Note that a space must be left before admin.

6. When the new CVS administrator and account information are ready, change the account verification mode of /testrep from "operating system integrated verification" to "use CVS account verification only". This avoids having to manage Windows accounts in order to use multiple users in CVS. The setting lives in the config file in the CVSROOT directory. Open the config file on the client and change #SystemAuth=yes to SystemAuth=no (note that after the # is deleted there must be no space before SystemAuth). Save the config file after modification.

7. Commit all changes in CVSROOT to the server, and our settings take effect. The commands are as follows:

cd CVSROOT
cvs add -m "" admin
cvs commit -m ""

Before committing, however, you may want to change the owner of CVSROOT from the original administrator to cvsadmin. Use the cvs chown command to do this. Once the CVSROOT directory is committed, the verification mode changes immediately and cvsadmin takes effect at the same time. From then on, the administrator account can no longer be used to operate CVS. Log on again with the cvsadmin account and continue with the following operations.

8. Modify the read/write permissions. CVS has two ways to set read and write permissions, one coarse-grained and one fine-grained. Only the CVS administrator can modify access permissions.

The coarse-grained method is to add readers or writers files to CVSROOT. Any account listed in readers has read-only permission on the current repository. The format is one account name per line. For example, we add a readers file to the CVSROOT directory on the client, put the newly added account anonymous in it, and then commit the readers file to the server. Anonymous can then no longer commit. In the actual test, running the commit command after logging in as anonymous makes the system report that the command completed normally, but in fact nothing is committed, which exposes the imperfection of CVS's human-machine interface. The writers file is handled in the same way as readers. If an account name is written to both files, the account has read-only permission.

The fine-grained method is to use the chacl command. For example, suppose there are three projects in /testrep: project1, project2, and project3. Run the following commands:

cvs chacl -u user1 -a none -d project1,project2,project3
cvs chacl -u user1 -a all -d project1
cvs chacl -u user1 -a read,write -d project2
cvs chacl -u user1 -a read -d project3

This gives user1 full control over the project1 directory, read and write permissions on the project2 directory, and read-only permission on the project3 directory. The first command deletes all permissions of user1, and the following three commands set the three different directory permissions.

9. Use account groups to organize accounts. Add a group file under the CVSROOT directory on the client. The format of this file is:

group name 1: user name 1, user name 2, user name 3, ...
group name 2: user name 5, user name 7, ...
...

After modifying the group file, commit it and use the chacl command to modify group permissions.
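
Added example (not part of the original article and not cvsnt code): a small Python check that reads the checked-out CVSROOT control files from steps 5 to 9 and reports the mistakes those steps warn about. The function names and sample contents are constructed for illustration; the rule that an existing writers file makes every unlisted account read-only comes from the standard CVS manual, not from this page.

```python
import re

def names(text):
    """One account name per line: the format of admin, readers and writers."""
    return {ln.strip() for ln in (text or "").splitlines() if ln.strip()}

def groups(text):
    """Parse 'group: user1, user2' lines; commas or spaces separate members."""
    out = {}
    for ln in (text or "").splitlines():
        if ":" in ln:
            name, members = ln.split(":", 1)
            out[name.strip()] = {m for m in re.split(r"[,\s]+", members) if m}
    return out

def system_auth(config):
    """Effective SystemAuth value; lines starting with '#' or a space are skipped."""
    value = "yes"  # step 6: the line to edit starts out as '#SystemAuth=yes'
    for ln in (config or "").splitlines():
        m = re.match(r"SystemAuth\s*=\s*(\w+)", ln, re.I)
        if m:
            value = m.group(1).lower()
    return value

def coarse_access(user, readers, writers):
    """readers wins over writers; an existing writers file excludes the rest."""
    if user in readers or (writers is not None and user not in writers):
        return "read"
    return "read/write"

def audit(files):
    """files maps a CVSROOT file name to its text; returns a list of findings."""
    findings = []
    if system_auth(files.get("config")) != "no":
        findings.append("config: SystemAuth is not 'no', OS account verification still on")
    admins = names(files.get("admin"))
    listed = any(re.match(r"\s+admin(\s|$)", ln)
                 for ln in files.get("checkoutlist", "").splitlines())
    if admins and not listed:
        findings.append("checkoutlist: no ' admin <message>' record with leading space")
    readers = names(files.get("readers"))
    writers = names(files["writers"]) if "writers" in files else None
    for user in sorted(readers & (writers or set())):
        findings.append(f"{user}: in readers and writers, so read-only")
    for user in sorted(admins):
        if coarse_access(user, readers, writers) == "read":
            findings.append(f"{user}: administrator without coarse-grained write access")
    return findings

# Constructed sample of a checked-out CVSROOT directory (not from a real server).
SAMPLE = {
    "config": "#SystemAuth=yes\n", "checkoutlist": "admin adminerror\n",
    "admin": "cvsadmin\n", "readers": "anonymous\nuser2\n",
    "writers": "user1\nuser2\n", "group": "devs: user1, user2\nguests: anonymous\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    r, w = names(SAMPLE["readers"]), names(SAMPLE["writers"])
    for g, members in groups(SAMPLE["group"]).items():
        print(g, {u: coarse_access(u, r, w) for u in sorted(members)})
```

Running it before the final commit in step 7 shows whether the new administrator would be locked out once SystemAuth=no takes effect.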

 

-------------------------------------------------------------------------

CVS operation manual version 1.1 [reposted]

---------------------------------

1 Precautions before installing the server

This manual is based on cvsnt 2.5.03 build 2382; with other versions the operation interface and option settings will differ accordingly.

The CVS container (repository) and temporary folder (temp) must be located on the cvsnt server.

cvsnt must run as a [service]. We recommend running it under the system account, for two reasons: 1. system does not have network permissions, that is, it cannot be used as a remote service; 2. the cvsnt service stays online even when the system account is not performing operations.

We recommend running cvsnt on a server that uses the NTFS file system, for two reasons: 1. NTFS provides the permission management foundation that CVS requires; 2. NTFS is more stable and supports greater storage capacity.

1.1 Install and configure cvsnt

1.1.1 Create the CVS container and temporary folders, for example:

D:/cvsntrepositories (container)
D:/cvstemp (temporary)

(Note: the temporary folder cannot be located in the operating system's temporary folder, for example C:/winnt/temp or C:/Documents and Settings.)

1.1.2 Run the cvsnt installer, which includes the client and the server.

(Note: 1. If the server runs Windows XP, 2003, or a later version, its [WMI Service] may cause a permission-denied error. Disable it before installation and enable it again after the installation is complete. 2. Check that the client and server versions match. 3. You may need to restart after installation.)

1.1.3 Configure the CVS container. Open the cvsnt Control Panel through [Start]-[Programs]-[cvsnt]-[cvsnt Control Panel] (or open it from the Windows Control Panel). Before changing the settings of a CVS container, stop the cvsnt and cvsnt lock services.

Click the [Repository configuration] tab and click [Add] to add a container: in the [Location] field, enter or select the directory where the container is located (created in step 1.1.1); in the [Name] field, enter the container name, which must start with "/", such as "/cvsntroot". (Note: for the new container to take effect, you must check the [Publish repository] [Online] option.)

1.1.4 Set the CVS temporary folder. Click the [Server settings] tab and, in [Temporary], select the CVS temporary folder created in step 1.1.1. Restart the cvsnt and cvsnt lock services. If the services cannot be started, check the permission settings on the folder where the container is located, or restart the server.

1.1.5 Update the list of binary files on the CVS server. (Note: this is very important. If you do not add known binary file types to the binary file list, such files may be corrupted when they are uploaded.) Log on to the server as administrator (local operation mode) and run the following at the command prompt:

set cvsroot=D:/cvsntrepositories/repo1
cvs co CVSROOT
cd CVSROOT
notepad cvswrappers

Edit the list file in Notepad, for example:

*.cab -k 'b'
*.class -k 'b'
*.doc -k 'b'
*.dll -k 'b'
*.exe -k 'b'
*.exp -k 'b'
*.gif -k 'b'
*.gz -k 'b'
*.jar -k 'b'
*.jpg -k 'b'
*.jpeg -k 'b'
*.lib -k 'b'
*.msi -k 'b'
*.mso -k 'b'
*.pfw -k 'b'
*.png -k 'b'
*.ppt -k 'b'
*.sit -k 'b'
*.tar -k 'b'
*.tlb -k 'b'
*.sealing -k 'b'
*.xls -k 'b'
*.wmz -k 'b'
*.zip -k 'b'

Then commit the change:

cvs commit

1.1.6 Server-side CVS permission settings

cvsnt server permission control has two parts:

NTFS ACL: prevents unauthorized users from accessing the CVS container.
cvsnt ACL: prevents developers from mistakenly committing to a version branch.

cvsnt has two verification methods:

Windows user authentication plus cvsnt user authentication: hybrid authentication mode.
cvsnt user authentication only: single authentication mode.

Because Windows does not allow any non-real account to operate on the file system, a user created with cvsnt is actually an alias (mapping) of a Windows user. The relationship is as follows:

This document describes how to set the hybrid mode verification.

To set the permissions of a container, follow these steps:

1) Log on to the server as administrator.

2) Create Windows user groups for cvsnt:

User group name: description
cvsadmins: manages all CVS containers; can update files in all containers.
cvsadmin-xxx: has permission on a single container.
cvsusers: all CVS users; can check out files, but the checkin/commit action is controlled by the CVSROOT/writers file.

Note: if cvsnt is deployed on a Windows + server, make sure that these user groups have permission to run cmd.exe, because the operating system does not grant it by default.

3) Set the CVSROOT permission control files:

CVSROOT file name: description
admin: list of user names allowed to execute CVS administrator commands (not under source control).
passwd: records cvsnt account names and passwords (encrypted; not under source control).
group: records cvsnt group information, in the format: group name: user name 1 user name 2 user name 3 ...
readers: list of users that can read data.
writers: list of users allowed to perform write operations (commit).
config: configuration file of a cvsnt container. SystemAuth yes: hybrid verification; no: single authentication.

Log on to the server as administrator and, on the command line, switch to the directory where the CVS container is located, for example D:/cvsntrepositories/repo1/CVSROOT.

Set the admin file. Create it with the following command (no spaces may appear between the user name and "admin" in this command):

echo cvsadmin>admin

Set the writers and config files (do not do this inside the CVS container folder). If a deadlock occurs after committing writers, go to the CVS container and delete the writers and writers,v files. The cvs add writers command is needed only when the file is first created.

set cvsroot=:pserver:cvsadmin@host:/repo1
cvs login
cvs co CVSROOT
cd CVSROOT
notepad config
echo username>writers
cvs add writers
cvs commit

4) Set the permissions for the folder where the cvsnt container is located:

Directory/File System Administrators cvsadmins cvsadmin-xxx cvsusers Description
./cvsnttemp full open permission
./cvsntrepositories full read
./cvsntrepositories/repo1 full read full single container
./cvsntrepositories/repo1/cvsroot full read prevents common users from changing the configuration file
./cvsntrepositories/repo1/cvsroot/history full read full Change Record CVS user history
./cvsntrepositories/repo1/cvsroot/val-tags full read full change CVS user checkout

Note: the history file changed significantly as of cvsnt 2.5.x, and cvsnt no longer generates history records automatically. Therefore, if there is no history file in the CVSROOT folder of container repo1, it must be created manually and named history.

Set Project permissions in a container:

1) Add a cvsnt user

Syntax:

cvs passwd [-a] [-x] [-X] [-r real_user] [-R] [-D domain] [username]

-a adds a cvsnt user; -x disables a cvsnt user; -X deletes a cvsnt user; -r binds a cvsnt user to the specified system user; -R removes the binding between a cvsnt user and a system user; -D specifies the domain; username is the cvsnt user to operate on. With no parameters, the command changes the password of the currently logged-on user. You can use the following command to create a mapping:

cvs passwd -a -r

2) Set cvsnt user permissions

chown syntax:

cvs chown [-R] user [directory...]

-R indicates recursion.

cvs chown -R cvsadmin

The preceding command sets the owner of the server directory corresponding to the current directory, and of its subdirectories, to the cvsadmin user.

chacl syntax:

cvs chacl [-R] [-r branch] [-u user] [-j branch] [-n] [-p priority] [-m message] [-a [no]{read|write|create|tag|control}[,...]] [-d]

-R indicates recursion; -r branch modifies the permissions of a branch; -a sets the user's permissions; -d deletes the user's permissions.

cvs chacl -R -u cvsuser2 -a read,write,create,tag

The preceding command grants the cvsuser2 user read, write, create, and tag permissions on the server directory corresponding to the current directory and on its subdirectories.

cvs chacl -u G2 -a read,nowrite helloworld.java

The preceding command grants the G2 group read permission on the helloworld.java file in the current directory and denies it write permission.

cvs chacl -u cvsuser2 -d

The preceding command removes all permissions of the cvsuser2 user on the server directory corresponding to the current directory.

lsacl syntax:

cvs lsacl [-dR]

-d lists directory permissions only, and -R indicates recursion.

3) Please note: this is a bug in cvsnt 2.5.03 build 2382. When you enter a project client folder that was checked out with CVS, and you are not logged on with the account that performed the checkout, CVS automatically switches you to the account used for the checkout. Hazard: attackers can exploit this vulnerability to gain control of other people's accounts, or even the highest administrator privilege. Workaround: do not check out projects with your own account, and especially not with the administrator account, on other people's computers.

1.1.7 Test the cvsnt service. After the settings above, the cvsnt server is deployed and needs a connection test. In command-line mode, run the following:

set cvsroot=:pserver:username@host:/repo1
cvs login

The login is successful if no error is reported.

1.2 Install and configure copssh

To improve the security of data transmission in CVS, the SSH communication protocol can be used in place of the standard pserver protocol. Among the many SSH service programs, as of the time I wrote this article, copssh is the best open-source project supporting various client programs. The installation process is very simple. After completing the installation, you need to [activate a user] through [Start]-[Programs]-[copssh]. Note that copssh must use a Windows account; cvsnt accounts are not supported. You can bind Windows and cvsnt accounts.

Copy the following files from the cvsnt installation folder to the bin directory of the copssh installation directory:

cvs.exe
cvsapi.dll
dbghelp.dll
extnt.dll
msvcp71.dll
msvcr71.dll
cvstools.dll
iconv.dll
mdnsclient.dll

Set the permissions for the copssh temporary folder:

Directory/File System Administrators cvsadmins cvsadmin-xxx cvsusers Description
./Documents and Settings/svccopssh.xxx/Local Settings/temp full

Connection test

set cvsroot=:ssh:username@host:/repo1
cvs login

After you enter the password, you will be asked to accept the public key.

1.3 Delete insecure CVS communication protocols (optional)

Delete the corresponding DLL files in the protocols directory in the cvsnt installation folder.

2 Precautions before installing the client

The TamTam plug-in for the Microsoft VS series is paid software.

Installing the client is relatively simple. Only the following points are covered here:

Install the cvsnt client first.
The text comparison tool bundled with the TamTam plug-in does not support multi-byte characters (Chinese, Japanese, and so on). Use WinMerge instead and bind it in the settings.
Specify the cvsnt cvs.exe as the one used by the TamTam plug-in, to maintain stable compatibility.
To speed up network transmission, enable the network compression option.
When entering the connection string, use the SSH communication protocol, for example ssh:username@host:/repo1.

3 Routine maintenance of cvsnt

3.1 Back up the container

Back up the container with a script file (added to [Scheduled Tasks]) or with the [Backup] program. The script looks like this:

net stop cvsnt
xcopy D:\cvsntrepositories \\Server\cvsbackup /Q /S /C /H /R /O /Y
net start cvsnt
